From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Maria Pasechnik, Antoine Tenart, Jakub Kicinski
Subject: [PATCH 5.4 23/39] net: ip6_gre: set dev->hard_header_len when using header_ops
Date: Sun, 6 Dec 2020 12:17:27 +0100
Message-Id: <20201206111555.783347806@linuxfoundation.org>
In-Reply-To: <20201206111554.677764505@linuxfoundation.org>
References: <20201206111554.677764505@linuxfoundation.org>
From: Antoine Tenart

[ Upstream commit 832ba596494b2c9eac7760259eff2d8b7dcad0ee ]

syzkaller managed to crash the kernel using an NBMA ip6gre interface. I
could reproduce it creating an NBMA ip6gre interface and forwarding
traffic to it:

  skbuff: skb_under_panic: text:ffffffff8250e927 len:148 put:44 head:ffff8c03c7a33
  ------------[ cut here ]------------
  kernel BUG at net/core/skbuff.c:109!
  Call Trace:
  skb_push+0x10/0x10
  ip6gre_header+0x47/0x1b0
  neigh_connected_output+0xae/0xf0

ip6gre tunnel provides its own header_ops->create, and sets it
conditionally when initializing the tunnel in NBMA mode. When
header_ops->create is used, dev->hard_header_len should reflect the
length of the header created. Otherwise, when not used,
dev->needed_headroom should be used.

Fixes: eb95f52fc72d ("net: ipv6_gre: Fix GRO to work on IPv6 over GRE tap")
Cc: Maria Pasechnik
Signed-off-by: Antoine Tenart
Link: https://lore.kernel.org/r/20201130161911.464106-1-atenart@kernel.org
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman
--- net/ipv6/ip6_gre.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -1120,8 +1120,13 @@ static void ip6gre_tnl_link_config_route return; if (rt->dst.dev) { - dev->needed_headroom = rt->dst.dev->hard_header_len + - t_hlen; + unsigned short dst_len = rt->dst.dev->hard_header_len + + t_hlen; + + if (t->dev->header_ops) + dev->hard_header_len = dst_len; + else + dev->needed_headroom = dst_len; if (set_mtu) { dev->mtu = rt->dst.dev->mtu - t_hlen; @@ -1146,7 +1151,12 @@ static int ip6gre_calc_hlen(struct ip6_t tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen; t_hlen = tunnel->hlen + sizeof(struct ipv6hdr); - tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen; + + if (tunnel->dev->header_ops) + tunnel->dev->hard_header_len = LL_MAX_HEADER + t_hlen; + else + tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen; + return t_hlen; }
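Review bot: In the ip6gre_tnl_link_config_route hunk (@@ -1120,8), the new condition tests `t->dev->header_ops` while both assignments write through `dev`, so the reader has to confirm elsewhere that the two name the same device. Testing `dev->header_ops` would make the check and the fields it selects visibly refer to one object. The branch that is taken also leaves the other field (`needed_headroom` or `hard_header_len`) at whatever value it held before; a short comment saying that this is intended, or an explicit reset, would help, since the skb_under_panic in the commit message comes from exactly this kind of headroom accounting mismatch.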
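Review bot: In the ip6gre_calc_hlen hunk (@@ -1146,7), the result of `if (tunnel->dev->header_ops)` depends on whether header_ops has already been assigned when this function runs, and nothing in the visible lines establishes that ordering. The commit message says header_ops is set conditionally during NBMA tunnel initialization, so it is worth confirming that the init path assigns it before the first call here, and stating that requirement in a comment above the check. The same two-way choice between `hard_header_len` and `needed_headroom` now appears in both hunks with different operands; a small helper taking the device and the length would keep the two sites from drifting apart and give the rationale from the commit message a single place to live in the code.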